After much wait and speculations, the Justice BN Srikrishna committee finally submitted its report on data protection, along with a draft of Data Protection Bill, on 27 July. The report, titled “A Free and Fair Digital Economy — Protecting Privacy, Empowering Indians”, was handed over to Union Minister for Electronics and IT, Law and Justice Ravi Shankar Prasad. In response to the report and its legislative proceeding, Prasad assured that the government would go through the draft Bill, take inputs from the stakeholders concerned and address the Cabinet before finalising the legislation.
He did not set a definite timeline to the same.
The said committee was formulated on July 31 last year. In regard to the committee’s inception, the timing was quite fascinating; a month after its formulation, the Supreme Court delivered its astounding judgement that interpreted the Right to Privacy as one of the fundamental rights. Last year, the ten-member committee was assigned the tremendous task of chalking out a comprehensive data protection framework that would balance the scales of data usage and user privacy. And now, the report has finally made its entrance into the public domain.
The 176-page report has a lot to offer to the much-discussed, and equally debated, arena of data usage and its protection, and the committee has traversed great lengths to achieve the same. However, many are saying it has travelled afar from what it actually started out to achieve. Here are some of the key highlights from the report.
- Restricting processing of “personal data”
The committee made it a point to prioritise user as well as data safety. As per one of the committee’s recommendations, the collection and processing of personal data should be done for “clear, specific and lawful” purposes. The report further entails that, “Personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.” At the same time, the report prescribed that the Central government should refrain from handling data from companies which deal with the collection and processing of foreign nationals’ data. For observing these recommendations the committee went as far as defining “personal data”. According to the report, the definition of personal data will have its roots in identifiability.
- Localisation of data
This specific suggestion by the committee is, to say the least, quite problematic. The committee recommends that storage of personal data be carried out in such a manner that all data, pertaining to Indian nationals, be stored on servers located within India. It further suggests that data transfer outside of the country must be subjected to various security clauses. This particular suggestion turned out to be quite controversial. Why? Well, localising data in a world that thrives on globalization is not a recommendation people will be willing to whole-heartedly embrace. India — with the second largest Internet user base — specifically, might not be tailor-made for such a ‘domestic’ approach.
- Allowing the State access to “Personal Data”
The report implies that the State has full access to its citizens “personal data”, and has the right to process the same, if the same is considered to be significant in the proper functioning of the State Legislature. This suggestion by the Justice BN Srikrishna committee is surprisingly vague in its attempt to classify ‘matters of the State’. This pointer allows the government an unlimited and unrestricted access to the personal data of its subjects without defining the boundaries of the same. Such a situation can further develop into misuse of information, hence puncturing the Right to Privacy of people.
- Establishment of a Data Protection Authority
The committee recommends the formulation and establishment of a Data Protection Authority (DPA). This organization is expected to ensure and protect the interests of people, not to mention their data. Regarding the same, this organization is expected to publish Codes of Practice. The DPA holds the power to check, enforce and protect the rights of all data processors. To achieve this, the DPA may define and enforce penalties for anyone who misuses data.
For the purpose of “bolster[ing] data protection”, the committee has recommended certain amendments in the Aadhaar Act 2016 and the Right to Information (RTI) act, 2005. One of the committee’s suggestions for the Aadhaar Act (2016) is to ensure the autonomy of UIDAI (Unique Identification authority of India). The idea, as stated, is to even individual as well as public interest in an increasingly data-consuming world.
The report, like every other thing, has its pros and cons. On one hand, the report presents a comprehensive front for ‘protected’ data utilization in a country which is devoid of any such framework. However, on the other hand, the report fails to clearly set and define the government’s jurisdictions vis a vis its democratic citizens’ data. There is no denying that the scope of improvement stands strong in said report. For one, there is no mention of surveillance, another major conduit for data collection and handling, and its regulation. Nonetheless, the report submitted by the Justice BN Srikrishna committee is the country’s first step, and a crucial one too, into the arena of data and its ‘protected’ handling, and would hopefully perpetuate a series of other initiatives in that direction.